Mr. President, today I rise to introduce bipartisan legislation that will establish baseline requirements for the protection of personal information collected from individuals over the Internet. This bill, the Online Privacy Protection Act, represents the work of many months and important input from consumer groups, affected individuals, and most importantly, many Senators on the Commerce Committee. The origin of this emerging consensus position began to take shape at a Commerce Committee hearing last summer that focused generally on whether there was a need for online privacy legislation. At that time, members of the committee began to articulate the notion that not all personal information is created equal. I agree. Some highly sensitive personal information, such as personal financial or medical information or a person’s religious beliefs, is clearly more sensitive than other garden-variety types of information, such as a pair of slacks that an individual may purchase. Since that hearing, and in numerous meetings with members of the Committee, we have worked hard to develop a balanced approach to Internet privacy regulation that recognizes and builds upon best practices in the online community while establishing a federal baseline standard for the protection of individuals’ privacy on the Internet.
Let me begin by expressing my gratitude to Senators Rockefeller, Inouye, Breaux, and Cleland, who worked closely with me during the last Congress to advocate the need for strong online privacy protections and who have agreed to be original cosponsors of this legislation. In addition, I would also like to particularly thank Senators Kerry, Stevens and Burns for their invaluable contributions throughout this process and their willingness to join with us in working to craft a workable, bipartisan, consensus position on legislation that will provide individuals with better controls over the use of their personal information while fueling the growth of ecommerce as consumer confidence in the Internet spurs a significant increase in online activity.
Some have argued that Americans’ concerns about privacy no longer exist in the aftermath of September 11th. But poll after poll consistently demonstrates that the American people want companies they patronize to seek their permission prior to using their personal information for commercial profit. These concerns are heightened with respect to the Internet, which, in a digital age, enables the seamless compilation of highly detailed personal profiles of Internet users. Accordingly, fears about privacy have had palpable effects on the willingness of consumers to embrace the full potential of the Internet and e-commerce.
Distrust of false privacy promises has sparked a rage of online self-defense, especially the providing of false information by individuals. Industry analysts estimate that between one-fifth and one-third of all individuals provide false personal information on the Internet. This response is understandable given that consumers have few tools to discover whether their personal information is being disclosed, sold, or otherwise misused--and they have virtually no recourse.
Privacy fears are stifling the development and expansion of the Internet as an engine of economic growth. Because of consumer distrust, online companies and services are losing potential business and collecting bad data, blocking the Internet and its wide range of services from reaching its full potential. The lack of enforceable privacy protections is a significant barrier to the full embrace by consumers of the Internet marketplace. According to a recent Harris/Business Week poll, almost two-thirds of non-Internet users would be more likely to use the Net if the privacy of their "personal information and communications were protected." Moreover, according to a recent Forrester study, online businesses lost nearly $15 Billion -- or 27 percent of e-commerce revenues -- due to consumer privacy concerns. Those numbers are significant in light of the economic downturn and its disproportionate impact on the high tech Internet sectors. Good privacy means good business and the Internet economy could use a healthy dose of that right now.
Accordingly, our legislation offers a win-win proposition for consumers and business: it will protect the privacy of individuals online and provide online businesses with a new market of willing customers, while protecting the necessary business certainty of a single federal standard.
Online companies have long argued that privacy regulations would hamper their ability to efficiently conduct business on-line and give consumers the tailored buying experience they now expect from the Internet. Online merchants also touted self-regulation as sufficient privacy protection. We know otherwise.
To be fair, some companies have taken consumer privacy seriously. Earthlink launched a national television advertising campaign touting its policy of not selling customer information. U-Haul’s web site simply says: "We will never sell or share your information with anyone, or send you junk mail -- we hate that stuff, too." Companies like Hewlett Packard, Intel and Microsoft, giants of the high tech industry, already provide individuals opt-in protection with respect to their personal information. But, in the final analysis, despite the best of intentions and some successful efforts, reliance on self-regulation alone has not proven to provide sufficient protection. In its May 2000 Report to Congress, the Federal Trade Commission clearly recognized this shortcoming having studied this issue diligently for five years:
"Because self-regulatory initiatives to date fall short of broad-based implementation of effective self-regulatory programs, the Commission has concluded that such efforts alone cannot ensure that the online marketplace as a whole will emulate the standards adopted by industry leaders ... The Commission recommends that Congress enact legislation that, in conjunction with continuing self-regulatory programs, will ensure adequate protection of consumer privacy online."
Mr. President, our legislation aims to do just that.
Fundamentally, our legislation is built upon the five core principles of privacy protection identified by the Federal Trade Commission in its 1995 report to Congress regarding online privacy -- (1) Notice, (2) Consent, (3) Access, (4) Security and (5) Enforcement. Those principles are tried and true and formed the framework for the bipartisan Children’s Online Privacy Protection Act of 1998, which was hailed by industry far and wide as a template for protecting children’s personal information that is collected on the Internet.
The bill we introduce today takes a singular approach. It divides online personal information into two categories: sensitive information and non-sensitive information. Sensitive information is narrowly tailored to include actual information about specific financial data, health information, ethnicity, religious affiliation, sexual orientation, and political affiliation, or someone’s social security number. Non-sensitive information is all other personally identifiable information collected online.
In this respect, the legislation is also similar to the two-tiered approach taken by the European Union in which companies are required to provide baseline protections governing the use of non-sensitive information -- and stronger consent protections governing the use of sensitive data. More than 180 American companies -- including Staples, Marriott, Microsoft, Intel, Hewlett Packard, DoubleClick, Kodak and Acxiom -- doing business in Europe have agreed to provide such protections with respect to the personal data of European citizens. They have signed up for the EU Safe Harbor and their names are listed on the Department of Commerce’s web site. Our bill simply asks these and other companies to provide similar protections for U.S. citizens.
First, with respect to notice and consent, the bill would require web sites and online services to post clear and conspicuous notice of their information practices. In other words -- plainly state to individuals what you plan to do with their personal information. To the extent that a web site collects sensitive information, it would also be required to obtain a consumer’s affirmative consent -- so-called "opt-in" consent -- prior to the collection of such data. To the extent that a web site collects only non-sensitive personal data, it would be able to collect such data for other uses as long as it provides individuals with an ability to "opt out" of such uses and provides the consumer with actual notice at the point of collection -- so-called "robust notice" -- which briefly and succinctly describes how the information may be used or disclosed.
Many Internet companies are doing this already. For example, on the same page where an individual provides his or her personal information, the web site for 1-800 Flowers states: "You will be receiving promotional offers and materials from us and sites and companies we own. Please check the box below if you DO NOT want to receive such materials in the future and do not wish us to provide personal information collected from you to third parties ..." Similarly, NBC’s website says the following on the webpage where individuals register their personal information:
"As our customer, you will occasionally receive email from shopnbc.com about new services, features, and special offers we believe would interest you. If you’d rather not receive these updates, please uncheck this box." It’s as simple as that. And it provides the individual the ability to make an informed choice at the critical point at which he or she is providing a company with personally identifiable information.
Next, our legislation requires companies to provide individuals with the ability to find out what personal information a web site has collected about them. While important, this right of reasonable access is not unqualified. Rather, it considers a variety of factors including the sensitivity of the information sought by the consumer and the burden and expense on the provider in giving consumers access to their personal information. In addition, the bill would permit online companies to charge individuals a reasonable fee to access their personal data – as is similarly provided under the Fair Credit Reporting Act.
In addition, our bill requires that web sites adopt reasonable security procedures to protect the security, confidentiality, and integrity of personally identifiable information, just as Congress required in the Children’s privacy legislation.
Moreover, the bill grants consumers important rights of redress. First, the Federal Trade Commission and state attorneys general are empowered to take action. If the FTC collects civil penalties, the bill creates a mechanism whereby those injured can petition to receive up to $200 of the award. For more serious violations involving sensitive information, the bill would additionally permit individuals on their own to pursue redress for damages in federal court.
Finally, in addition to following these fair information principles, the legislation also takes the critical step of establishing a uniform federal standard for online privacy protection by preempting State Internet laws. Inconsistent state regulation of privacy is already causing problems for online businesses. Vermont has adopted "opt-in laws" governing financial and medical privacy. In Minnesota, the state Senate has adopted "opt-in" online privacy legislation by a vote of 96-0. In California, state privacy legislation is again moving through the state legislature, offering the very real possibility that online businesses will sooner rather than later face the prospect of trying to bring their online operation into compliance with inconsistent state laws.
Because new technologies make privacy protection a constantly evolving issue, the bill requires the FTC not only to implement the requirements of the law, but further, to issue periodic reports about how the law is working; whether similar privacy protections should apply offline or to pre-existing data; whether standardized online privacy notices should be developed; if a meaningful safe harbor should be constructed; and whether privacy protection technologies in the marketplace such as P3P can help facilitate the administration of the Act.
Consumer participation in cyberspace should not be conditioned on a willingness to relinquish control over one’s personal information. Rather, for the medium to truly flourish, we must establish baseline consumer protections that will eliminate the tyranny of convenience in which consumers are forced to choose between disclosing private, personal information -- or not using the Internet at all. Congress has a moral obligation to protect American individual liberties, including the right to better control the commercialization of one’s own personal, private information.
Mr. President, this bill is an important first step. The privacy protections in this legislation will instill more confidence in people to use the Internet and create a consistent legal framework for online businesses. It will provide better online privacy protections for consumers, better commercial opportunities for businesses who respond to consumer privacy concerns, and a better future for Americans who will embrace the Internet rather than fear it.
Mr. President, I ask for unanimous consent that both the Bill and my statement be printed in the record.